I have been working with Microsoft’s Desired State Configuration (DSC) for a few months now. Version 5 seems to have most of the shortcomings of version 4 ironed out and I must admit after the initial learning curve is over it is a very flexible tool for making configuration changes.

Working on automating virtual machine build configuration with DSC one thing I really wanted was a DSC resource to allow any outstanding Windows Server Update Services (WSUS) patches to apply once the VM was deployed. If you haven’t used it yet the best place for getting DSC resources is the PowerShell Gallery; there are heaps of useful DSC resources for lots of different things including third party applications/vendors. The problem was, no matter how hard I looked I could not find a resource that would allow me to just install all outstanding WSUS patches. So I decided to get it working myself and found this page by Greg Shields with a PowerShell WSUS Big Red Button script. After some successful testing on Windows 2008 R2 and 2012 R2, I re-worked the PowerShell into a DSC script resource that can be used in any DSC. See code below:

And there you have it. If you would like the full script for generating the configuration it can be found [edit: I found some comments were not right and fixed, updated to version 2] here.

Adding the above configuration item to a DSC will install any outstanding patches. After the DSC has run you can then check it is in compliance. The above can also be used to install patches in places that don’t use Microsoft’s System Center Configuration Manager (SCCM). I hope the above helps out people who want to use DSC in anger for initial server configuration!